It may seem like HIT is a minefield loaded with numerous hidden costs and human expenditures that can send an organization on the path to self-destruction. Today's headlines are filled with failures, whether they be enormous data breaches or millions of dollars lost to failed attempts at implementing new technology.

In reality, the number of success stories likely outweigh the disasters. Conflicting surveys and mountains of hearsay add to the confusion. There are certainties, however. Almost no one can argue that cyberattacks are a serious threat to the well-being of just about every health care organization. Also, facilities are hungry for ways to measure whether these multimillion-dollar projects are worth the expense.

In an effort to shed light on these issues, For The Record (FTR) catches up with Rod Piechowski, senior director of health information systems at HIMSS North America, to ascertain his thoughts on the current situation.

FTR: When it comes to cybersecurity, where are health care organizations falling short?

RP: According to the 2016 HIMSS Cybersecurity Survey, health care organizations struggle to find enough cybersecurity professionals required to implement the kind of technologies and processes needed to stay ahead of the rapidly changing threat landscape. This is an area that needs more people with the right types of skills sooner rather than later.

FTR: What can be done to remedy the situation?

RP: First, HIMSS and other organizations working in this space must help raise awareness of this need and encourage people who may have the aptitude to pursue roles in cybersecurity. Second, schools play a role in developing quality programs that will prepare people to work in this field. Of course, grants, loans, and other incentives to help with this type of education will be important as well.

FTR: In terms of cybersecurity, is a collaborative approach in which organizations share their experiences viable?

RP: It can be, if done correctly. The FBI encourages organizations that have had cybersecurity events to share information, but there is a natural reluctance by organizations, both in and out of health care, to share sensitive information about cyber events; therefore, it isn't widespread yet.

FTR: What role will HIMSS' new Cybersecurity Hub play in the battle against hackers?

RP: The HIMSS Cybersecurity Hub is designed to educate and empower people to play a role in maintaining a secure environment, whether it is in their personal or health care lives. The Hub offers high-quality and timely information that anyone can apply, shutting down several types of cyberattacks.

FTR: Switching gears, how can health care organizations best measure the value of HIT?

RP: There are no standard metrics for value yet. That's one of the reasons we developed the HIMSS Health IT Value STEPS framework. We know value exists in five domains: satisfaction, treatment and clinical, electronic secure data, patient engagement and population management, and savings. We've collected thousands of examples of health care organizations realizing value in each of these areas, and there is a wide variety of approaches taken. Each provider has a unique patient population and situation, so they approach value, whether it is in the form of better outcomes for their patients or better operational efficiencies, according to their needs. Our long-term goal is to identify the initiatives and metrics that work well and that can be implemented by other organizations. It's still early, and there is a lot of room for innovation here.

FTR: What are the factors that differentiate a successful HIT implementation from a failed one?

RP: Success is highly dependent on how well an organization manages change. An HIT implementation perceived largely as "an IT project" is doomed to failure because IT changes so much within an organization. It's about leadership from the top down, and for leaders that also means listening from the bottom up. Implementing IT for the sake of having technology is not a good reason to do so. A successful organization understands that IT is a tool that should be used to help achieve visions and strategies. If you can't demonstrate how technology supports the organizational vision, you're in trouble from the start. You also need very strong leaders throughout the organization who understand that relationship. In the best organizations we see, these champions are flexible, passionate, and respected. Technology in and of itself is just hardware; people make it happen.

FTR: What's next in the quest for a national patient identification system?

RP: Currently, the private sector is actively working to develop and advance technical solutions to patient identification and matching. As an example, HIMSS sponsors an innovator-in-residence at Health and Human Services (HHS) who is working on best practices for patient-matching algorithm attributes. In terms of the government's role, since the 1999 Labor-HHS Appropriations ban on promulgating a standard for the unique patient identifier was put in place, HHS has had limited engagement on this issue. The HIT stakeholder community has been actively educating members of Congress on the need to clarify that the intent of the ban is not to prevent HHS from working with stakeholders to develop a national strategy for patient data matching—the FY17 House Labor-HHS bill had accompanying report language that included this clarification.

FTR: Reportedly, some hospitals are reluctant to exchange health information for business interests. How can health care organizations be convinced that data sharing is in their best interests?

RP: The model is changing whether organizations like it or not, and information exchange will become an expected part of demonstrating that technology is being used to its potential. Providers will increasingly be measured on their outcomes, and not just with individuals but also with populations. The new models of accountable care organizations and the new Merit-based Incentive Payment System (MIPS) regulations will continue to influence this shift.